jscriptpatch.cpp-IE漏洞补丁

// jscriptpatch.cpp
//==============================================================
// Patch for the IE createTextRange() vulnerability.
//
// Derek Soeder - eEye Digital Security - 03/24/2006


#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <stdio.h>



// TranslateRVAToRawPtr

PBYTE TranslateRVAToRawPtr(
	PBYTE			pbBase,
	DWORD			dwRVA)
{
	PIMAGE_NT_HEADERS	ppe;
	PIMAGE_SECTION_HEADER	psect;
	DWORD			dw;

	//----------------
	ppe   = (PIMAGE_NT_HEADERS)(pbBase + ((PIMAGE_DOS_HEADER)pbBase)->e_lfanew);
	psect = IMAGE_FIRST_SECTION(ppe);

	for (dw = ppe->FileHeader.NumberOfSections; dw != 0; dw--, psect++)
	{
		if (dwRVA >= psect->VirtualAddress && (dwRVA - psect->VirtualAddress) < psect->SizeOfRawData)
			return pbBase + (dwRVA - psect->VirtualAddress + psect->PointerToRawData);
	} //for(dw)

	return NULL;
} //TranslateRVAToRawPtr()



// CreateJScriptPatchDLL

BOOL CreateJScriptPatchDLL(
	char			*szOriginalDLL,
	char			*szPatchDLL)
{
	HMODULE			hmod;
	DWORD			cbmodsize;
	PIMAGE_NT_HEADERS	ppe;
	PIMAGE_SECTION_HEADER	psect;
	DWORD			dwsectnum;

	PDWORD			pdw;
	PVOID			pvend;
	DWORD			dw;

	DWORD			dwrva, dwrvadest;
	PBYTE			pb;
	LONG			lofs;
	DWORD			dwlen;
	BOOL			bebp;

	HANDLE			hfile;
	PBYTE			pbdest;
	DWORD			cb;
	DWORD			dwerr;

	//---------------- load the original DLL with virtual alignments and relocations applied
	hmod = LoadLibraryEx(szOriginalDLL, NULL, DONT_RESOLVE_DLL_REFERENCES);

	if (hmod == NULL)
		return FALSE;

	dwrva     = 0;
	dwrvadest = 0;

	//---------------- search for an executable section with sufficient unused space
	ppe = (PIMAGE_NT_HEADERS)(((PBYTE)hmod) + ((PIMAGE_DOS_HEADER)hmod)->e_lfanew);

	if (ppe->Signature != IMAGE_NT_SIGNATURE)
	{
		FreeLibrary(hmod);
		SetLastError(ERROR_INVALID_EXE_SIGNATURE);
		return FALSE;
	}

	psect = IMAGE_FIRST_SECTION(ppe);

	for (dwsectnum = 0; dwsectnum != ppe->FileHeader.NumberOfSections; dwsectnum++, psect++)
	{
		if ( (psect->Characteristics & (IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_CNT_CODE)) !=
		     (IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_CNT_CODE) )
		{
			continue;
		}

		if ( ((psect->Misc.VirtualSize & 0x0FFF) != 0) && 
		     ((psect->Misc.VirtualSize & 0x0FFF) <= 0x1000 - 0x20) && // patch code will be <= 0x20 bytes
		     (psect->SizeOfRawData > psect->Misc.VirtualSize) &&
		     (psect->SizeOfRawData - psect->Misc.VirtualSize >= 0x20) )
		{
			dwrvadest = psect->VirtualAddress + psect->Misc.VirtualSize;
			break;
		}
	} //for(dwsectnum)

	if (dwsectnum == ppe->FileHeader.NumberOfSections)
	{
		FreeLibrary(hmod);
		SetLastError(-1);
		return FALSE;
	}

	//---------------- search image for 0x74-case switch table
	cbmodsize = ppe->OptionalHeader.SizeOfImage;

	pdw   = (PDWORD)hmod;
	pvend = pdw + (cbmodsize / 4) - /*0x74 /*IE 5.0 SP4 only has 0x72 cases*/0x72;

	for ( ; pdw != pvend; pdw = (PDWORD)((PBYTE)pdw + 1))
	{
		if (*pdw >= (DWORD)hmod && (*pdw - (DWORD)hmod) < cbmodsize)
		{
			for (dw = 1; dw != /*0x74*/0x72; dw++)
			{
				if (pdw[dw] < (DWORD)hmod || (pdw[dw] - (DWORD)hmod) > cbmodsize)
					break;
			}

			if ( dw == /*0x74*/0x72 &&		// overlapping cases are a "signature" for the switch table
			     pdw[0x00] == pdw[0x02] &&
			     pdw[0x00] == pdw[0x63] &&
			     pdw[0x00] == pdw[0x64] &&
			     pdw[0x01] == pdw[0x5A] &&
			     pdw[0x17] == pdw[0x1B] &&
			     pdw[0x5E] == pdw[0x5F] )
			{
				break;
			}
		}
	} //for(pdw)

	if (pdw == pvend)
	{
		FreeLibrary(hmod);
		SetLastError(-1);
		return FALSE;
	}

	//---------------- search case 0x23 code for VT_EMPTY assignment instruction
	pb = (PBYTE)(pdw[0x23]);

	lofs  = 0;
	dwlen = 0;
	bebp  = FALSE;

	for (dw = 0x40; dw != 0; dw--, pb++)
	{
		if (pb[0x00] != 0x66)				// 66h: operand size prefix ('vt' is a WORD-size field)
			continue;

		if (pb[0x01] == 0xC7)				// C7h/0: MOV mem, imm
		{
			switch (pb[0x02])
			{
			case 0x44:				// ModRM=44h: 8-bit offset, SIB
				if (pb[0x03] != 0x24 || pb[0x05] != 0 || pb[0x06] != 0) // SIB=24h: ESP
					continue;
				lofs  = (LONG)*(char*)(pb + 0x04);
				dwlen = 0x07;
				bebp  = FALSE;
				break;

			case 0x45:				// ModRM=45h: 8-bit offset, EBP
				if (pb[0x04] != 0 || pb[0x05] != 0)
					continue;
				lofs  = (LONG)*(char*)(pb + 0x03);
				dwlen = 0x06;
				bebp  = TRUE;
				break;

			case 0x84:				// ModRM=84h: 32-bit offset, SIB
				if (pb[0x03] != 0x24 || pb[0x08] != 0 || pb[0x09] != 0) // SIB=24h: ESP
					continue;
				lofs  = *(LONG*)(pb + 0x04);
				dwlen = 0x0A;
				bebp  = FALSE;
				break;

			case 0x85:				// ModRM=85h: 32-bit offset, EBP
				if (pb[0x07] != 0 || pb[0x08] != 0)
					continue;
				lofs  = *(LONG*)(pb + 0x03);
				dwlen = 0x09;
				bebp  = TRUE;
				break;

			default:
				continue;
			}
		}
		else if (pb[0x01] == 0x83)			// 83h/4: AND mem, simm8
		{
			switch (pb[0x02])
			{
			case 0x64:				// ModRM=64h: 8-bit offset, SIB
				if (pb[0x03] != 0x24 || pb[0x05] != 0) //SIB=24h: ESP
					continue;
				lofs  = (LONG)*(char*)(pb + 0x04);
				dwlen = 0x06;
				bebp  = FALSE;
				break;

			case 0x65:				// ModRM=65h: 8-bit offset, EBP
				if (pb[0x04] != 0)
					continue;
				lofs  = (LONG)*(char*)(pb + 0x03);
				dwlen = 0x05;
				bebp  = TRUE;
				break;

			case 0xA4:				// ModRM=A4h: 32-bit offset, SIB
				if (pb[0x03] != 0x24 || pb[0x08] != 0) // SIB=24h: ESP
					continue;
				lofs  = *(LONG*)(pb + 0x04);
				dwlen = 0x09;
				bebp  = FALSE;
				break;

			case 0xA5:				// ModRM=A5h: 32-bit offset, EBP
				if (pb[0x07] != 0)
					continue;
				lofs  = *(LONG*)(pb + 0x03);
				dwlen = 0x08;
				bebp  = TRUE;
				break;

			default:
				continue;
			}
		}
		else	continue;

		if ((lofs & 3) != 0)				// variable will always be DWORD-aligned on stack
			continue;

		if (bebp)
		{
			if (lofs > -0x04 || lofs < -0x800)	// EBP-relative must be negative
				continue;
		}
		else
		{
			if (lofs < 0 || lofs > 0x800)		// ESP-relative must be positive
				continue;
		}

		dwrva = (UINT_PTR)pb - (UINT_PTR)hmod;
		break;
	} //for(dw)

	FreeLibrary(hmod);

	if (dw == 0)
	{
		SetLastError(-1);
		return FALSE;
	}

	//---------------- read original JScript.dll into memory
	hfile = CreateFile(szOriginalDLL, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);

	if (hfile == INVALID_HANDLE_VALUE)
		return FALSE;

	cbmodsize = GetFileSize(hfile, NULL);

	if (cbmodsize == INVALID_FILE_SIZE)
	{
		dwerr = GetLastError();
		CloseHandle(hfile);
		SetLastError(dwerr);
		return FALSE;
	}

	pb = (PBYTE)LocalAlloc(LMEM_FIXED, cbmodsize);

	if (pb == NULL)
	{
		dwerr = GetLastError();
		CloseHandle(hfile);
		SetLastError(dwerr);
		return FALSE;
	}

	if (!ReadFile(hfile, pb, cbmodsize, &cb, NULL) || cb != cbmodsize)
	{
		dwerr = GetLastError();
		CloseHandle(hfile);
		LocalFree(pb);
		SetLastError(dwerr);
		return FALSE;
	}

	CloseHandle(hfile);

	//---------------- patch in-memory file and write it to patched DLL
	ppe   = (PIMAGE_NT_HEADERS)(pb + ((PIMAGE_DOS_HEADER)pb)->e_lfanew);
	psect = IMAGE_FIRST_SECTION(ppe);
	psect += dwsectnum;

	pbdest = TranslateRVAToRawPtr(pb, dwrvadest);

	psect->Misc.VirtualSize += 0x20;

	pbdest[0x00] = 0x60;					// PUSHAD
	pbdest[0x01] = 0x8D;					// LEA EDI, [{ESP,EBP}+ofs32]
	pbdest[0x02] = 0xBC;
	pbdest[0x03] = (bebp ? 0x25 : 0x24);
	*(LONG*)(pbdest + 0x04) = (bebp ? lofs : lofs + 0x20);	// (0x20 to compensate for PUSHAD effect on stack)
	pbdest[0x08] = 0x33;					// XOR EAX, EAX
	pbdest[0x09] = 0xC0;
	*(DWORD*)(pbdest + 0x0A) = 0xABABABAB;			// STOSD / STOSD / STOSD / STOSD
	pbdest[0x0E] = 0x61;					// POPAD
	pbdest[0x0F] = 0xE9;					// JMP rel32
	*(DWORD*)(pbdest + 0x10) = (dwrva + dwlen) - (dwrvadest + 0x14);

	pbdest = TranslateRVAToRawPtr(pb, dwrva);

	pbdest[0x00] = 0xE9;					// JMP rel32
	*(DWORD*)(pbdest + 0x01) = dwrvadest - (dwrva + 5);

	hfile = CreateFile(szPatchDLL, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

	if (hfile == INVALID_HANDLE_VALUE)
	{
		dwerr = GetLastError();
		LocalFree(pb);
		SetLastError(dwerr);
		return FALSE;
	}

	if (!WriteFile(hfile, pb, cbmodsize, &dw, NULL) || dw != cbmodsize)
	{
		dwerr = GetLastError();
		CloseHandle(hfile);
		LocalFree(pb);
		SetLastError(dwerr);
		return FALSE;
	}

	CloseHandle(hfile);

	LocalFree(pb);

	SetLastError(ERROR_SUCCESS);
	return TRUE;
} //CreateJScriptPatchDLL()



// WinMain

int WINAPI WinMain(
	IN HINSTANCE		hInstance,
	IN HINSTANCE		hPrevInstance,
	IN LPSTR		lpCmdLine,
	IN int			nShowCmd)
{
	char			szsystem32[MAX_PATH+8];
	char			szoriginal[MAX_PATH+40];
	char			szpatch[MAX_PATH+40];
	UINT			u;
	DWORD			dwerr;

	//----------------
	if ( lpCmdLine != NULL && ((strstr(lpCmdLine, "/?") != NULL) || (strstr(lpCmdLine, "-?") != NULL)) )
	{
		MessageBox(NULL, ":::/n"
		                 ":::  Microsoft Internet Explorer createTextRange patch/n"
		                 ":::  eEye Digital Security - www.eeye.com - 03/24/2006/n"
		                 ":::/n",
		           "eEye Digital Security", MB_OK);
		return -1;
	}

	//---------------- get %SystemRoot%/system32 path
	u = GetSystemDirectory(szsystem32, sizeof(szsystem32) - 1);

	if (u == 0 || u >= sizeof(szsystem32) - 1)
	{
		dwerr = GetLastError();
		return (dwerr == 0 ? ERROR_PATH_NOT_FOUND : (int)dwerr);
	}

	if (szsystem32[u-1] != '//')
	{
		szsystem32[u] = '//';
		szsystem32[u+1] = 0;
	}
	else	szsystem32[u] = 0;

	_snprintf(szoriginal, sizeof(szoriginal), "%sjscript.dll", szsystem32);
	szoriginal[sizeof(szoriginal)-1] = 0;

	_snprintf(szpatch,    sizeof(szpatch),    "%sjscript-eeye-patch20.dll", szsystem32);
	szpatch[sizeof(szpatch)-1] = 0;

	//---------------- create patched JScript.dll
	if (!CreateJScriptPatchDLL(szoriginal, szpatch))
	{
		dwerr = GetLastError();
		return (dwerr == 0 ? -1 : (int)dwerr);
	}

	return 0;
} //WinMain()